adminfront 조직 통계오류 보정. Kratos Projection용 통계테이블 구조 추가

2026-05-11 13:01:55 +09:00
parent 9a64a16cb9
commit 843b4100ad
36 changed files with 2022 additions and 169 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -300,6 +300,7 @@ func main() {
 	tenantRepo := repository.NewTenantRepository(db)
 	userGroupRepo := repository.NewUserGroupRepository(db)
 	userRepo := repository.NewUserRepository(db)
+	userProjectionRepo := repository.NewUserProjectionRepository(db)
 	ketoOutboxRepo := repository.NewKetoOutboxRepository(db) // Reuse or re-init
 	rpUsageOutboxRepo := repository.NewRPUsageOutboxRepository(db)
 	worksmobileOutboxRepo := repository.NewWorksmobileOutboxRepository(db)
@@ -307,6 +308,13 @@ func main() {
 	kratosAdminService := service.NewKratosAdminService()
 	oryAdminProvider := service.NewOryProvider()

+	userProjectionSyncer := service.NewUserProjectionSyncService(kratosAdminService, userProjectionRepo)
+	if synced, err := userProjectionSyncer.Reconcile(context.Background()); err != nil {
+		slog.Error("❌ Kratos user projection sync failed", "error", err)
+	} else {
+		slog.Info("✅ Kratos user projection synced", "users", synced)
+	}
+
 	tenantService := service.NewTenantService(tenantRepo, userRepo, userGroupRepo, ketoOutboxRepo)
 	worksmobilePrivateKey, err := getEnvFileOrValue("WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY_FILE", "WORKS_ADMIN_OAUTH_CLIENT_PRIVATE_KEY", "")
 	if err != nil {
@@ -354,6 +362,7 @@ func main() {
 	auditHandler := handler.NewAuditHandler(auditRepo)
 	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, ketoOutboxRepo, userRepo, consentRepo, kratosAdminService)
 	authHandler.HeadlessJWKS = headlessJWKSCache
+	authHandler.UserProjectionRepo = userProjectionRepo
 	authHandler.RPUserMetadataRepo = rpUserMetadataRepo
 	authHandler.RPUsageSink = rpUsageEmitter
 	adminHandler := handler.NewAdminHandler(ketoService, ketoOutboxRepo)
@@ -361,14 +370,17 @@ func main() {
 	adminHandler.TenantRepo = tenantRepo
 	adminHandler.Hydra = hydraService
 	adminHandler.AuditRepo = auditRepo
+	adminHandler.UserProjectionRepo = userProjectionRepo
+	adminHandler.UserProjectionSyncer = userProjectionSyncer
 	devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, ketoOutboxRepo, tenantService, developerService, authHandler)
 	devHandler.HeadlessJWKS = headlessJWKSCache
 	devHandler.AuditRepo = auditRepo
 	devHandler.RPUserMetadataRepo = rpUserMetadataRepo
-	tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService, sharedLinkService)
+	tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, userProjectionRepo, ketoService, ketoOutboxRepo, kratosAdminService, sharedLinkService)
 	userGroupHandler := handler.NewUserGroupHandler(userGroupService)
 	relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
 	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo, auditRepo)
+	userHandler.UserProjectionRepo = userProjectionRepo
 	tenantHandler.SetWorksmobileSyncer(worksmobileService)
 	userHandler.SetWorksmobileSyncer(worksmobileService)
 	worksmobileHandler := handler.NewWorksmobileHandler(worksmobileService)
@@ -692,6 +704,9 @@ func main() {

 	admin.Get("/check", adminHandler.CheckAuth) // 기본 Admin 체크는 requireAdmin 없이 ApiKeyAuth로만 보호될 수 있음 (또는 추가 가능)
 	admin.Get("/stats", requireSuperAdmin, adminHandler.GetSystemStats)
+	admin.Get("/projections/users", requireSuperAdmin, adminHandler.GetUserProjectionStatus)
+	admin.Post("/projections/users/reconcile", requireSuperAdmin, adminHandler.ReconcileUserProjection)
+	admin.Post("/projections/users/reset", requireSuperAdmin, adminHandler.ResetUserProjection)
 	admin.Get("/rp-usage/daily", requireAdmin, adminHandler.GetRPUsageDaily)

 	// Tenant Management (Mixed roles, handler filters results)
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -39,6 +39,7 @@ func migrateSchemas(db *gorm.DB) error {
 		&domain.TenantDomain{},
 		&domain.User{},
 		&domain.UserLoginID{},
+		&domain.UserProjectionState{},
 		&domain.UserGroup{},
 		&domain.ApiKey{},
 		&domain.IdentityProviderConfig{},
--- a/backend/internal/domain/user_projection.go
+++ b/backend/internal/domain/user_projection.go
@@ -0,0 +1,29 @@
+package domain
+
+import "time"
+
+const (
+	UserProjectionNameKratos = "kratos_users"
+
+	UserProjectionStatusSyncing = "syncing"
+	UserProjectionStatusReady   = "ready"
+	UserProjectionStatusFailed  = "failed"
+)
+
+type UserProjectionState struct {
+	Name         string     `gorm:"primaryKey;column:name" json:"name"`
+	Status       string     `gorm:"column:status;not null" json:"status"`
+	LastSyncedAt *time.Time `gorm:"column:last_synced_at" json:"lastSyncedAt,omitempty"`
+	LastError    string     `gorm:"column:last_error;type:text" json:"lastError,omitempty"`
+	UpdatedAt    time.Time  `gorm:"column:updated_at" json:"updatedAt"`
+}
+
+type UserProjectionStatus struct {
+	Name           string     `json:"name"`
+	Status         string     `json:"status"`
+	Ready          bool       `json:"ready"`
+	LastSyncedAt   *time.Time `json:"lastSyncedAt,omitempty"`
+	LastError      string     `json:"lastError,omitempty"`
+	UpdatedAt      *time.Time `json:"updatedAt,omitempty"`
+	ProjectedUsers int64      `json:"projectedUsers"`
+}
--- a/backend/internal/handler/admin_handler.go
+++ b/backend/internal/handler/admin_handler.go
@@ -18,12 +18,14 @@ type adminHydraClientLister interface {
 }

 type AdminHandler struct {
-	Keto           service.KetoService
-	KetoOutbox     repository.KetoOutboxRepository
-	RPUsageQueries domain.RPUsageQueryRepository
-	TenantRepo     repository.TenantRepository
-	Hydra          adminHydraClientLister
-	AuditRepo      domain.AuditRepository
+	Keto                 service.KetoService
+	KetoOutbox           repository.KetoOutboxRepository
+	RPUsageQueries       domain.RPUsageQueryRepository
+	TenantRepo           repository.TenantRepository
+	Hydra                adminHydraClientLister
+	AuditRepo            domain.AuditRepository
+	UserProjectionRepo   repository.UserProjectionRepository
+	UserProjectionSyncer service.UserProjectionReconciler
 }

 func NewAdminHandler(keto service.KetoService, ketoOutbox repository.KetoOutboxRepository) *AdminHandler {
@@ -107,6 +109,50 @@ func (h *AdminHandler) CheckAuth(c *fiber.Ctx) error {
 	return c.Status(fiber.StatusOK).JSON(fiber.Map{"status": "ok"})
 }

+func requireSuperAdminProfile(c *fiber.Ctx) error {
+	profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if profile == nil || domain.NormalizeRole(profile.Role) != domain.RoleSuperAdmin {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: super_admin required"})
+	}
+	return nil
+}
+
+func (h *AdminHandler) GetUserProjectionStatus(c *fiber.Ctx) error {
+	if err := requireSuperAdminProfile(c); err != nil {
+		return err
+	}
+	if h == nil || h.UserProjectionRepo == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection service unavailable"})
+	}
+	status, err := h.UserProjectionRepo.GetStatus(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(status)
+}
+
+func (h *AdminHandler) ReconcileUserProjection(c *fiber.Ctx) error {
+	if err := requireSuperAdminProfile(c); err != nil {
+		return err
+	}
+	if h == nil || h.UserProjectionSyncer == nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "user projection sync service unavailable"})
+	}
+	count, err := h.UserProjectionSyncer.Reconcile(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(fiber.Map{
+		"status":      "success",
+		"syncedUsers": count,
+		"updatedAt":   time.Now().UTC().Format(time.RFC3339),
+	})
+}
+
+func (h *AdminHandler) ResetUserProjection(c *fiber.Ctx) error {
+	return h.ReconcileUserProjection(c)
+}
+
 // GetSystemStats returns runtime statistics for monitoring
 func (h *AdminHandler) GetSystemStats(c *fiber.Ctx) error {
 	var m runtime.MemStats
--- a/backend/internal/handler/admin_handler_test.go
+++ b/backend/internal/handler/admin_handler_test.go
@@ -5,6 +5,7 @@ import (
 	"baron-sso-backend/internal/service"
 	"context"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -65,6 +66,41 @@ func (f *fakeOverviewAuditRepo) CountEventsSince(ctx context.Context, since time
 	return f.count, nil
 }

+type fakeAdminUserProjectionRepo struct {
+	status domain.UserProjectionStatus
+}
+
+func (f *fakeAdminUserProjectionRepo) IsReady(ctx context.Context) (bool, error) {
+	return f.status.Ready, nil
+}
+
+func (f *fakeAdminUserProjectionRepo) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	return nil, nil
+}
+
+func (f *fakeAdminUserProjectionRepo) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	return nil
+}
+
+func (f *fakeAdminUserProjectionRepo) MarkFailed(ctx context.Context, syncErr error) error {
+	return nil
+}
+
+func (f *fakeAdminUserProjectionRepo) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	return f.status, nil
+}
+
+type fakeAdminUserProjectionSyncer struct {
+	count int
+	err   error
+	calls int
+}
+
+func (f *fakeAdminUserProjectionSyncer) Reconcile(ctx context.Context) (int, error) {
+	f.calls++
+	return f.count, f.err
+}
+
 func TestAdminHandler_GetRPUsageDaily(t *testing.T) {
 	repo := &fakeRPUsageQueryRepo{
 		items: []domain.RPUsageDailyMetric{
@@ -111,6 +147,96 @@ func TestAdminHandler_GetRPUsageDaily(t *testing.T) {
 	require.Equal(t, uint64(12), body.Items[0].LoginRequests)
 }

+func TestAdminHandler_UserProjectionStatusRequiresSuperAdmin(t *testing.T) {
+	h := &AdminHandler{
+		UserProjectionRepo: &fakeAdminUserProjectionRepo{
+			status: domain.UserProjectionStatus{Name: domain.UserProjectionNameKratos, Status: domain.UserProjectionStatusReady, Ready: true},
+		},
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "tenant-admin", Role: domain.RoleTenantAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/projections/users", h.GetUserProjectionStatus)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/projections/users", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusForbidden, resp.StatusCode)
+}
+
+func TestAdminHandler_UserProjectionStatusReturnsProjectionStateForSuperAdmin(t *testing.T) {
+	syncedAt := time.Date(2026, 5, 11, 3, 0, 0, 0, time.UTC)
+	h := &AdminHandler{
+		UserProjectionRepo: &fakeAdminUserProjectionRepo{
+			status: domain.UserProjectionStatus{
+				Name:           domain.UserProjectionNameKratos,
+				Status:         domain.UserProjectionStatusReady,
+				Ready:          true,
+				LastSyncedAt:   &syncedAt,
+				ProjectedUsers: 152,
+			},
+		},
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Get("/api/v1/admin/projections/users", h.GetUserProjectionStatus)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/projections/users", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var body domain.UserProjectionStatus
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, domain.UserProjectionNameKratos, body.Name)
+	require.Equal(t, domain.UserProjectionStatusReady, body.Status)
+	require.True(t, body.Ready)
+	require.Equal(t, int64(152), body.ProjectedUsers)
+}
+
+func TestAdminHandler_ReconcileUserProjectionRequiresSuperAdminAndRunsSyncer(t *testing.T) {
+	syncer := &fakeAdminUserProjectionSyncer{count: 4}
+	h := &AdminHandler{UserProjectionSyncer: syncer}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Post("/api/v1/admin/projections/users/reconcile", h.ReconcileUserProjection)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/projections/users/reconcile", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	require.Equal(t, 1, syncer.calls)
+
+	var body map[string]any
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&body))
+	require.Equal(t, "success", body["status"])
+	require.Equal(t, float64(4), body["syncedUsers"])
+}
+
+func TestAdminHandler_ReconcileUserProjectionReturnsServiceUnavailableOnSyncFailure(t *testing.T) {
+	syncer := &fakeAdminUserProjectionSyncer{err: errors.New("kratos down")}
+	h := &AdminHandler{UserProjectionSyncer: syncer}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "super", Role: domain.RoleSuperAdmin})
+		return c.Next()
+	})
+	app.Post("/api/v1/admin/projections/users/reconcile", h.ReconcileUserProjection)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/admin/projections/users/reconcile", nil)
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+}
+
 func TestAdminHandler_GetRPUsageDailyChecksTenantPermission(t *testing.T) {
 	repo := &fakeRPUsageQueryRepo{}
 	keto := &fakeAdminKeto{allowed: true}
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -100,6 +100,7 @@ type AuthHandler struct {
 	KetoService        service.KetoService
 	KetoOutboxRepo     repository.KetoOutboxRepository
 	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
 	ConsentRepo        repository.ClientConsentRepository
 	RPUserMetadataRepo repository.RPUserMetadataRepository
 	RPUsageSink        domain.RPUsageEventSink
@@ -856,6 +857,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {

 			if err := h.UserRepo.Update(ctx, u); err != nil {
 				slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
+				markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 			} else {
 				slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)

@@ -865,6 +867,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 				}
 				if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
 					slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
+					markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 				}

 				// [Keto] Sync user-tenant relationship via Outbox
@@ -7242,6 +7245,115 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
 	return profile
 }

+func (h *AuthHandler) mapKratosTraitsToLocalUser(identityID string, traits map[string]interface{}, existing *domain.User) *domain.User {
+	now := time.Now()
+	localUser := &domain.User{
+		ID:        identityID,
+		Status:    domain.UserStatusActive,
+		CreatedAt: now,
+		UpdatedAt: now,
+		Metadata:  make(domain.JSONMap),
+	}
+	if existing != nil {
+		copied := *existing
+		localUser = &copied
+		localUser.UpdatedAt = now
+		if localUser.Metadata == nil {
+			localUser.Metadata = make(domain.JSONMap)
+		}
+	}
+
+	if email := extractTraitString(traits, "email"); email != "" {
+		localUser.Email = email
+	}
+	if name := extractTraitString(traits, "name"); name != "" {
+		localUser.Name = name
+	}
+	if phone := extractTraitString(traits, "phone_number"); phone != "" {
+		localUser.Phone = phone
+	}
+	if department := extractTraitString(traits, "department"); department != "" {
+		localUser.Department = department
+	}
+	if position := extractTraitString(traits, "position"); position != "" {
+		localUser.Position = position
+	}
+	if jobTitle := extractTraitString(traits, "jobTitle"); jobTitle != "" {
+		localUser.JobTitle = jobTitle
+	}
+	if affType := extractTraitString(traits, "affiliationType"); affType != "" {
+		localUser.AffiliationType = affType
+	}
+
+	companyCode := extractTraitString(traits, "companyCode")
+	if companyCode == "" {
+		companyCode = extractTraitString(traits, "company_code")
+	}
+	if companyCode != "" {
+		localUser.CompanyCode = companyCode
+	}
+	if companyCodes := extractTraitStringArray(traits, "companyCodes"); len(companyCodes) > 0 {
+		localUser.CompanyCodes = pq.StringArray(companyCodes)
+	}
+	if tenantID := extractTraitString(traits, "tenant_id"); tenantID != "" {
+		localUser.TenantID = &tenantID
+	}
+	if relyingPartyID := extractTraitString(traits, "relying_party_id"); relyingPartyID != "" {
+		localUser.RelyingPartyID = &relyingPartyID
+	}
+
+	role := extractTraitString(traits, "grade")
+	if role == "" {
+		role = extractTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
+	}
+	localUser.Role = role
+	if localUser.Status == "" {
+		localUser.Status = domain.UserStatusActive
+	}
+	if localUser.CreatedAt.IsZero() {
+		localUser.CreatedAt = now
+	}
+
+	coreTraits := map[string]bool{
+		"email": true, "name": true, "phone_number": true,
+		"grade": true, "companyCode": true, "company_code": true,
+		"companyCodes": true, "department": true,
+		"position": true, "jobTitle": true,
+		"affiliationType": true, "role": true,
+		"tenant_id": true, "relying_party_id": true,
+		"custom_login_ids": true, "id": true,
+	}
+	metadata := make(domain.JSONMap)
+	for k, v := range traits {
+		if !coreTraits[k] {
+			metadata[k] = v
+		}
+	}
+	localUser.Metadata = metadata
+
+	return localUser
+}
+
+func (h *AuthHandler) syncUpdatedKratosUserReadModel(ctx context.Context, identityID string, traits map[string]interface{}) error {
+	if h == nil || h.UserRepo == nil {
+		return nil
+	}
+
+	var existing *domain.User
+	if current, err := h.UserRepo.FindByID(ctx, identityID); err == nil {
+		existing = current
+	} else {
+		slog.Warn("[UpdateMe] Failed to load existing local user before read-model sync", "userID", identityID, "error", err)
+	}
+
+	localUser := h.mapKratosTraitsToLocalUser(identityID, traits, existing)
+	return h.UserRepo.Update(ctx, localUser)
+}
+
 func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
 	if profile == nil {
 		return nil
@@ -7374,9 +7486,10 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
 	// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
 	if h.UserRepo != nil {
 		ctx := context.Background()
-		// Also update local User record (read-model)
-		// We can fetch updated identity or just map current traits
-		// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
+		if err := h.syncUpdatedKratosUserReadModel(ctx, identityID, traits); err != nil {
+			slog.Error("[UpdateMe] Failed to sync local user read-model", "userID", identityID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
+		}
 		if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
 			slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
 		}
--- a/backend/internal/handler/auth_handler_profile_cache_test.go
+++ b/backend/internal/handler/auth_handler_profile_cache_test.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"baron-sso-backend/internal/domain"
 	"bytes"
+	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -12,6 +13,23 @@ import (
 	"github.com/stretchr/testify/require"
 )

+type recordingUpdateMeUserRepo struct {
+	MockUserRepoForHandler
+	updated  *domain.User
+	loginIDs []domain.UserLoginID
+}
+
+func (r *recordingUpdateMeUserRepo) Update(ctx context.Context, user *domain.User) error {
+	copied := *user
+	r.updated = &copied
+	return nil
+}
+
+func (r *recordingUpdateMeUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	r.loginIDs = append([]domain.UserLoginID(nil), loginIDs...)
+	return nil
+}
+
 func TestUpdateMe_InvalidatesProfileCacheForTokenSession(t *testing.T) {
 	token := "token-abc"
 	identityID := "user-1"
@@ -107,3 +125,91 @@ func TestUpdateMe_InvalidatesProfileCacheForTokenSession(t *testing.T) {
 	require.NoError(t, json.NewDecoder(getResp2.Body).Decode(&profile2))
 	require.Equal(t, "New Dept", profile2["department"])
 }
+
+func TestUpdateMe_SyncsLocalReadModelFields(t *testing.T) {
+	token := "token-sync"
+	identityID := "user-sync"
+	traits := map[string]interface{}{
+		"email":           "sync@example.com",
+		"name":            "Old Name",
+		"phone_number":    "+821012345678",
+		"department":      "Old Dept",
+		"affiliationType": "employee",
+		"companyCode":     "saman",
+		"tenant_id":       "11111111-1111-1111-1111-111111111111",
+		"role":            domain.RoleUser,
+	}
+
+	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
+		switch {
+		case r.URL.Host == "kratos.test" &&
+			r.URL.Path == "/sessions/whoami" &&
+			r.Method == http.MethodGet:
+			if r.Header.Get("X-Session-Token") != token {
+				return httpResponse(r, http.StatusUnauthorized, `{"error":"invalid token"}`), nil
+			}
+			return httpJSONAny(r, http.StatusOK, map[string]interface{}{
+				"identity": map[string]interface{}{
+					"id":     identityID,
+					"traits": traits,
+				},
+			}), nil
+
+		case r.URL.Host == "kratos.test" &&
+			r.URL.Path == "/admin/identities/"+identityID &&
+			r.Method == http.MethodPut:
+			var payload struct {
+				Traits map[string]interface{} `json:"traits"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+				return httpResponse(r, http.StatusBadRequest, `{"error":"invalid body"}`), nil
+			}
+			for k, v := range payload.Traits {
+				traits[k] = v
+			}
+			return httpResponse(r, http.StatusOK, `{"ok":true}`), nil
+		}
+
+		return httpResponse(r, http.StatusNotFound, "not found"), nil
+	})
+	setDefaultHTTPClientForTest(t, transport)
+	t.Setenv("KRATOS_PUBLIC_URL", "http://kratos.test")
+	t.Setenv("KRATOS_ADMIN_URL", "http://kratos.test")
+
+	redis := &mockRedisRepo{data: map[string]string{
+		"verify_update_phone:" + identityID + ":+821087654321": "verified",
+	}}
+	userRepo := &recordingUpdateMeUserRepo{}
+	h := &AuthHandler{
+		RedisService: redis,
+		UserRepo:     userRepo,
+	}
+	app := fiber.New()
+	app.Put("/api/v1/user/me", h.UpdateMe)
+
+	updateBody, _ := json.Marshal(map[string]interface{}{
+		"name":       "New Name",
+		"phone":      "01087654321",
+		"department": "New Dept",
+	})
+	updateReq := httptest.NewRequest(
+		http.MethodPut,
+		"/api/v1/user/me",
+		bytes.NewReader(updateBody),
+	)
+	updateReq.Header.Set("Content-Type", "application/json")
+	updateReq.Header.Set("Authorization", "Bearer "+token)
+	updateResp, err := app.Test(updateReq, -1)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, updateResp.StatusCode)
+
+	require.NotNil(t, userRepo.updated)
+	require.Equal(t, identityID, userRepo.updated.ID)
+	require.Equal(t, "sync@example.com", userRepo.updated.Email)
+	require.Equal(t, "New Name", userRepo.updated.Name)
+	require.Equal(t, "+821087654321", userRepo.updated.Phone)
+	require.Equal(t, "New Dept", userRepo.updated.Department)
+	require.Equal(t, "saman", userRepo.updated.CompanyCode)
+	require.NotNil(t, userRepo.updated.TenantID)
+	require.Equal(t, "11111111-1111-1111-1111-111111111111", *userRepo.updated.TenantID)
+}
--- a/backend/internal/handler/tenant_handler.go
+++ b/backend/internal/handler/tenant_handler.go
@@ -20,14 +20,15 @@ import (
 )

 type TenantHandler struct {
-	DB          *gorm.DB
-	Service     service.TenantService
-	UserRepo    repository.UserRepository
-	Keto        service.KetoService
-	KetoOutbox  repository.KetoOutboxRepository
-	KratosAdmin service.KratosAdminService
-	SharedLink  service.SharedLinkService
-	Worksmobile service.WorksmobileSyncer
+	DB                 *gorm.DB
+	Service            service.TenantService
+	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
+	Keto               service.KetoService
+	KetoOutbox         repository.KetoOutboxRepository
+	KratosAdmin        service.KratosAdminService
+	SharedLink         service.SharedLinkService
+	Worksmobile        service.WorksmobileSyncer
 }

 func seedTenantDeleteError(c *fiber.Ctx) error {
@@ -47,15 +48,16 @@ func seedTenantSlugsForDeleteGuard() []string {
 	return result
 }

-func NewTenantHandler(db *gorm.DB, svc service.TenantService, userRepo repository.UserRepository, keto service.KetoService, outbox repository.KetoOutboxRepository, kratos service.KratosAdminService, sharedLink service.SharedLinkService) *TenantHandler {
+func NewTenantHandler(db *gorm.DB, svc service.TenantService, userRepo repository.UserRepository, userProjectionRepo repository.UserProjectionRepository, keto service.KetoService, outbox repository.KetoOutboxRepository, kratos service.KratosAdminService, sharedLink service.SharedLinkService) *TenantHandler {
 	return &TenantHandler{
-		DB:          db,
-		Service:     svc,
-		UserRepo:    userRepo,
-		Keto:        keto,
-		KetoOutbox:  outbox,
-		KratosAdmin: kratos,
-		SharedLink:  sharedLink,
+		DB:                 db,
+		Service:            svc,
+		UserRepo:           userRepo,
+		UserProjectionRepo: userProjectionRepo,
+		Keto:               keto,
+		KetoOutbox:         outbox,
+		KratosAdmin:        kratos,
+		SharedLink:         sharedLink,
 	}
 }

@@ -251,31 +253,15 @@ func (h *TenantHandler) ListTenants(c *fiber.Ctx) error {
 		}
 	}

-	// Fetch member counts for all tenants in one query using IDs
-	tenantIDs := make([]string, 0, len(tenants))
-	slugs := make([]string, 0, len(tenants))
-	for _, t := range tenants {
-		tenantIDs = append(tenantIDs, t.ID)
-		slugs = append(slugs, t.Slug)
+	memberCounts, err := h.countTenantMembersFromProjection(c.Context(), tenants)
+	if err != nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, err.Error())
 	}

-	idCounts, _ := h.UserRepo.CountByTenantIDs(c.Context(), tenantIDs)
-	slugCounts, _ := h.UserRepo.CountByCompanyCodes(c.Context(), slugs)
-
 	items := make([]tenantSummary, 0, len(tenants))
 	for _, t := range tenants {
 		summary := mapTenantSummary(t)
-
-		// Combine counts from both ID and Slug (Max to avoid double counting if some have one or the other)
-		idCount := idCounts[t.ID]
-		slugCount := slugCounts[strings.ToLower(t.Slug)]
-
-		if idCount > slugCount {
-			summary.MemberCount = idCount
-		} else {
-			summary.MemberCount = slugCount
-		}
-
+		summary.MemberCount = memberCounts[t.ID]
 		items = append(items, summary)
 	}

@@ -939,19 +925,13 @@ func (h *TenantHandler) GetTenant(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}

-	idCounts, _ := h.UserRepo.CountByTenantIDs(c.Context(), []string{tenant.ID})
-	slugCounts, _ := h.UserRepo.CountByCompanyCodes(c.Context(), []string{tenant.Slug})
-
-	idCount := idCounts[tenant.ID]
-	slugCount := slugCounts[strings.ToLower(tenant.Slug)]
-
-	count := idCount
-	if slugCount > idCount {
-		count = slugCount
+	memberCounts, err := h.countTenantMembersFromProjection(c.Context(), []domain.Tenant{tenant})
+	if err != nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, err.Error())
 	}

 	summary := mapTenantSummary(tenant)
-	summary.MemberCount = count
+	summary.MemberCount = memberCounts[tenant.ID]

 	return c.JSON(summary)
 }
@@ -1595,6 +1575,27 @@ func mapTenantSummary(t domain.Tenant) tenantSummary {
 	}
 }

+func (h *TenantHandler) countTenantMembersFromProjection(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	counts := make(map[string]int64, len(tenants))
+	for _, tenant := range tenants {
+		counts[tenant.ID] = 0
+	}
+	if len(tenants) == 0 {
+		return counts, nil
+	}
+	if h.UserProjectionRepo == nil {
+		return nil, errors.New("user projection is not configured")
+	}
+	ready, err := h.UserProjectionRepo.IsReady(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("user projection status unavailable: %w", err)
+	}
+	if !ready {
+		return nil, errors.New("user projection is not ready")
+	}
+	return h.UserProjectionRepo.CountTenantMembers(ctx, tenants)
+}
+
 func normalizeTenantStatus(value string) string {
 	value = strings.ToLower(strings.TrimSpace(value))
 	if value == "" {
--- a/backend/internal/handler/tenant_handler_test.go
+++ b/backend/internal/handler/tenant_handler_test.go
@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"io"
 	"mime/multipart"
 	"net/http"
@@ -16,6 +17,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 )

@@ -101,11 +103,15 @@ func (m *MockTenantService) ProvisionTenantByDomain(ctx context.Context, domainN

 type MockUserRepoForHandler struct {
 	mock.Mock
+	deletedIDs []string
 }

 func (m *MockUserRepoForHandler) Create(ctx context.Context, user *domain.User) error { return nil }
 func (m *MockUserRepoForHandler) Update(ctx context.Context, user *domain.User) error { return nil }
-func (m *MockUserRepoForHandler) Delete(ctx context.Context, id string) error         { return nil }
+func (m *MockUserRepoForHandler) Delete(ctx context.Context, id string) error {
+	m.deletedIDs = append(m.deletedIDs, id)
+	return nil
+}
 func (m *MockUserRepoForHandler) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
 	return nil, nil
 }
@@ -174,6 +180,38 @@ func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, logi
 	return "", nil
 }

+type MockUserProjectionRepoForHandler struct {
+	mock.Mock
+}
+
+func (m *MockUserProjectionRepoForHandler) IsReady(ctx context.Context) (bool, error) {
+	args := m.Called(ctx)
+	return args.Bool(0), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	args := m.Called(ctx)
+	return args.Get(0).(domain.UserProjectionStatus), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	args := m.Called(ctx, tenants)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(map[string]int64), args.Error(1)
+}
+
+func (m *MockUserProjectionRepoForHandler) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	args := m.Called(ctx, users)
+	return args.Error(0)
+}
+
+func (m *MockUserProjectionRepoForHandler) MarkFailed(ctx context.Context, syncErr error) error {
+	args := m.Called(ctx, syncErr)
+	return args.Error(0)
+}
+
 func TestTenantHandler_CreateTenant(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
@@ -202,14 +240,84 @@ func TestTenantHandler_CreateTenant(t *testing.T) {
 	assert.Equal(t, "t1", got["id"])
 }

+func TestTenantHandler_ListTenantsUsesReadyUserProjectionCountsWithoutKratos(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 2}, nil).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res tenantListResponse
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	require.Len(t, res.Items, 1)
+	assert.Equal(t, int64(2), res.Items[0].MemberCount)
+	mockProjection.AssertExpectations(t)
+}
+
+func TestTenantHandler_ListTenantsRejectsStatsWhenUserProjectionIsNotReady(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(false, nil).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockProjection.AssertNotCalled(t, "CountTenantMembers", mock.Anything, mock.Anything)
+}
+
 func TestTenantHandler_ListTenants(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
-	mockUserRepo := new(MockUserRepoForHandler)
+	mockProjection := new(MockUserProjectionRepoForHandler)

 	h := &TenantHandler{
-		Service:  mockSvc,
-		UserRepo: mockUserRepo,
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
 	}

 	app.Use(func(c *fiber.Ctx) error {
@@ -226,11 +334,9 @@ func TestTenantHandler_ListTenants(t *testing.T) {

 	// Mocking for the new allTenants check in ListTenants
 	mockSvc.On("ListTenants", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(tenants, int64(2), nil).Maybe()
-
-	mockUserRepo.On("CountByCompanyCodes", mock.Anything, mock.Anything).
-		Return(map[string]int64{"slug-a": 5, "slug-b": 10}, nil).Maybe()
-	mockUserRepo.On("CountByTenantIDs", mock.Anything, mock.Anything).
-		Return(map[string]int64{}, nil).Maybe()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"t1": 5, "t2": 10}, nil).Once()

 	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
 	resp, _ := app.Test(req)
@@ -253,6 +359,84 @@ func TestTenantHandler_ListTenants(t *testing.T) {
 	}
 }

+func TestTenantHandler_ListTenantsReturnsServiceUnavailableWhenProjectionStatusFails(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "t1", Name: "Tenant A", Slug: "slug-a"},
+	}
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(false, errors.New("projection state query failed")).Once()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockProjection.AssertExpectations(t)
+}
+
+func TestTenantHandler_ListTenantsUsesProjectionCountsWhenAvailable(t *testing.T) {
+	app := fiber.New()
+	mockSvc := new(MockTenantService)
+	mockUserRepo := new(MockUserRepoForHandler)
+	mockProjection := new(MockUserProjectionRepoForHandler)
+
+	h := &TenantHandler{
+		Service:            mockSvc,
+		UserRepo:           mockUserRepo,
+		UserProjectionRepo: mockProjection,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: "super_admin",
+		})
+		return c.Next()
+	})
+	app.Get("/tenants", h.ListTenants)
+
+	tenants := []domain.Tenant{
+		{ID: "00000000-0000-0000-0000-000000000001", Name: "Saman", Slug: "saman"},
+	}
+
+	mockSvc.On("ListTenants", mock.Anything, 10, 0, "").Return(tenants, int64(1), nil).Once()
+	mockProjection.On("IsReady", mock.Anything).Return(true, nil).Once()
+	mockProjection.On("CountTenantMembers", mock.Anything, tenants).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 2}, nil).Once()
+
+	mockUserRepo.On("CountByCompanyCodes", mock.Anything, []string{"saman"}).
+		Return(map[string]int64{"saman": 152}, nil).Maybe()
+	mockUserRepo.On("CountByTenantIDs", mock.Anything, []string{"00000000-0000-0000-0000-000000000001"}).
+		Return(map[string]int64{"00000000-0000-0000-0000-000000000001": 152}, nil).Maybe()
+
+	req := httptest.NewRequest("GET", "/tenants?limit=10&offset=0", nil)
+	resp, _ := app.Test(req)
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	var res tenantListResponse
+	json.NewDecoder(resp.Body).Decode(&res)
+
+	assert.Len(t, res.Items, 1)
+	assert.Equal(t, int64(2), res.Items[0].MemberCount)
+	mockProjection.AssertExpectations(t)
+}
+
 func TestTenantHandler_ExportTenantsCSV(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -28,15 +28,16 @@ type OryProviderAPI interface {
 }

 type UserHandler struct {
-	KratosAdmin    service.KratosAdminService
-	OryProvider    OryProviderAPI
-	TenantService  service.TenantService
-	KetoService    service.KetoService
-	KetoOutboxRepo repository.KetoOutboxRepository
-	UserRepo       repository.UserRepository
-	UserGroupRepo  repository.UserGroupRepository
-	AuditRepo      domain.AuditRepository
-	Worksmobile    service.WorksmobileSyncer
+	KratosAdmin        service.KratosAdminService
+	OryProvider        OryProviderAPI
+	TenantService      service.TenantService
+	KetoService        service.KetoService
+	KetoOutboxRepo     repository.KetoOutboxRepository
+	UserRepo           repository.UserRepository
+	UserProjectionRepo repository.UserProjectionRepository
+	UserGroupRepo      repository.UserGroupRepository
+	AuditRepo          domain.AuditRepository
+	Worksmobile        service.WorksmobileSyncer
 }

 func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
@@ -265,7 +266,10 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 		}
 	}

-	// 1. Try Kratos First
+	if h.KratosAdmin == nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, "identity provider not available")
+	}
+
 	identities, err := h.KratosAdmin.ListIdentities(c.Context())
 	if err == nil {
 		filtered := make([]service.KratosIdentity, 0, len(identities))
@@ -363,46 +367,8 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 		return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
 	}

-	// 2. Fallback to Local DB if Kratos is down
-	slog.Warn("Kratos unavailable, falling back to local DB for user list", "error", err)
-
-	// If requester is not Super Admin, we should technically filter by manageable slugs in DB too.
-	// For simplicity in fallback, if tenantSlug is empty we default to their primary company code.
-	if (requesterRole == domain.RoleTenantAdmin || requesterRole == domain.RoleUser || requesterRole == domain.RoleRPAdmin) && tenantSlug == "" {
-		profile, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
-		if profile != nil && profile.CompanyCode != "" {
-			tenantSlug = profile.CompanyCode
-		}
-	}
-
-	// Fetch from UserRepo
-	users, total, err := h.UserRepo.List(c.Context(), offset, limit, search, tenantSlug)
-	if err != nil {
-		return errorJSON(c, fiber.StatusInternalServerError, "failed to fetch users from both kratos and local db")
-	}
-
-	items := make([]userSummary, 0, len(users))
-	for _, u := range users {
-		items = append(items, userSummary{
-			ID:          u.ID,
-			Email:       u.Email,
-			Name:        u.Name,
-			Phone:       u.Phone,
-			Role:        u.Role,
-			Status:      u.Status,
-			CompanyCode: u.CompanyCode,
-			Department:  u.Department,
-			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
-			UpdatedAt:   u.UpdatedAt.Format(time.RFC3339),
-		})
-	}
-
-	return c.JSON(userListResponse{
-		Items:  items,
-		Total:  total,
-		Limit:  limit,
-		Offset: offset,
-	})
+	slog.Warn("Kratos unavailable for user list", "error", err)
+	return errorJSON(c, fiber.StatusServiceUnavailable, "identity provider unavailable")
 }

 func (h *UserHandler) GetUser(c *fiber.Ctx) error {
@@ -632,6 +598,7 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		// Sync to local DB (Synchronous for immediate consistency)
 		if err := h.UserRepo.Update(c.Context(), localUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
+			markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 		}
 		if h.Worksmobile != nil {
 			if err := h.Worksmobile.EnqueueUserUpsertIfInScope(c.Context(), *localUser); err != nil {
@@ -645,6 +612,7 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		}
 		if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
 			slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
+			markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 		}

 		// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
@@ -938,6 +906,7 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {

 			if err := h.UserRepo.Update(c.Context(), localUser); err != nil {
 				slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
+				markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 			}
 			if h.Worksmobile != nil {
 				if err := h.Worksmobile.EnqueueUserUpsertIfInScope(c.Context(), *localUser); err != nil {
@@ -951,6 +920,7 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			}
 			if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
 				slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
+				markUserProjectionFailed(c.Context(), h.UserProjectionRepo, err)
 			}

 			if h.KetoOutboxRepo != nil {
@@ -1769,6 +1739,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		ctx := context.Background() // Use request context if appropriate, but sync must finish
 		if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 		}
 		if h.Worksmobile != nil {
 			if err := h.Worksmobile.EnqueueUserUpsertIfInScope(ctx, *updatedLocalUser); err != nil {
@@ -1779,6 +1750,7 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		// Update User Login IDs in local DB
 		if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
 			slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
+			markUserProjectionFailed(ctx, h.UserProjectionRepo, err)
 		}

 		// [Keto Sync] asynchronously as it's less critical for immediate UI count
@@ -1927,6 +1899,13 @@ func (h *UserHandler) DeleteUser(c *fiber.Ctx) error {
 		// Additional cleanup for tenants could be added here if we keep track of user's current tenants
 	}

+	if h.UserRepo != nil {
+		if err := h.UserRepo.Delete(context.Background(), userID); err != nil {
+			slog.Error("[UserHandler] Failed to delete local user read-model", "userID", userID, "error", err)
+			markUserProjectionFailed(context.Background(), h.UserProjectionRepo, err)
+		}
+	}
+
 	return c.SendStatus(fiber.StatusNoContent)
 }

--- a/backend/internal/handler/user_handler_test.go
+++ b/backend/internal/handler/user_handler_test.go
@@ -430,6 +430,35 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
 	})
 }

+func TestUserHandler_ListUsersReturnsServiceUnavailableWhenKratosFails(t *testing.T) {
+	app := fiber.New()
+	mockKratos := new(MockKratosAdmin)
+	mockRepo := new(MockUserRepoForHandler)
+
+	h := &UserHandler{
+		KratosAdmin: mockKratos,
+		UserRepo:    mockRepo,
+	}
+
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{
+			Role: domain.RoleSuperAdmin,
+		})
+		return c.Next()
+	})
+	app.Get("/users", h.ListUsers)
+
+	mockKratos.On("ListIdentities", mock.Anything).Return([]service.KratosIdentity{}, errors.New("kratos down")).Once()
+
+	req := httptest.NewRequest("GET", "/users?limit=10&offset=0", nil)
+	resp, err := app.Test(req)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusServiceUnavailable, resp.StatusCode)
+	mockRepo.AssertNotCalled(t, "List", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything)
+	mockKratos.AssertExpectations(t)
+}
+
 func TestUserHandler_BulkCreateUsers_HanmacEmailPolicy(t *testing.T) {
 	app := fiber.New()
 	mockKratos := new(MockKratosAdmin)
@@ -672,6 +701,27 @@ func TestUserHandler_BulkDeleteUsers(t *testing.T) {
 	})
 }

+func TestUserHandler_DeleteUserDeletesLocalReadModel(t *testing.T) {
+	app := fiber.New()
+	mockKratos := new(MockKratosAdmin)
+	userRepo := new(MockUserRepoForHandler)
+	h := &UserHandler{KratosAdmin: mockKratos, UserRepo: userRepo}
+
+	app.Delete("/users/:id", func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "admin-1", Role: domain.RoleSuperAdmin})
+		return h.DeleteUser(c)
+	})
+
+	mockKratos.On("DeleteIdentity", mock.Anything, "u-1").Return(nil).Once()
+
+	req := httptest.NewRequest(http.MethodDelete, "/users/u-1", nil)
+	resp, err := app.Test(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+	assert.Equal(t, []string{"u-1"}, userRepo.deletedIDs)
+	mockKratos.AssertExpectations(t)
+}
+
 func TestUserHandler_UpdateUser_AdminOnlyField(t *testing.T) {
 	app := fiber.New()
 	mockKratos := new(MockKratosAdmin)
--- a/backend/internal/handler/user_projection_failure.go
+++ b/backend/internal/handler/user_projection_failure.go
@@ -0,0 +1,16 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/repository"
+	"context"
+	"log/slog"
+)
+
+func markUserProjectionFailed(ctx context.Context, repo repository.UserProjectionRepository, syncErr error) {
+	if repo == nil || syncErr == nil {
+		return
+	}
+	if err := repo.MarkFailed(ctx, syncErr); err != nil {
+		slog.Error("Failed to mark user projection as failed", "syncError", syncErr, "error", err)
+	}
+}
--- a/backend/internal/repository/main_test.go
+++ b/backend/internal/repository/main_test.go
@@ -63,7 +63,7 @@ func TestMain(m *testing.M) {
 	}

 	// Auto-migrate
-	err = db.AutoMigrate(&domain.Tenant{}, &domain.TenantDomain{}, &domain.User{}, &domain.ClientConsent{}, &domain.RPUserMetadata{}, &domain.RPUsageEvent{})
+	err = db.AutoMigrate(&domain.Tenant{}, &domain.TenantDomain{}, &domain.User{}, &domain.UserLoginID{}, &domain.UserProjectionState{}, &domain.ClientConsent{}, &domain.RPUserMetadata{}, &domain.RPUsageEvent{})
 	if err != nil {
 		log.Fatalf("failed to migrate database: %s", err)
 	}
--- a/backend/internal/repository/user_projection_repository.go
+++ b/backend/internal/repository/user_projection_repository.go
@@ -0,0 +1,176 @@
+package repository
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+type UserProjectionRepository interface {
+	IsReady(ctx context.Context) (bool, error)
+	GetStatus(ctx context.Context) (domain.UserProjectionStatus, error)
+	CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error)
+	ReplaceAllFromKratos(ctx context.Context, users []domain.User) error
+	MarkFailed(ctx context.Context, syncErr error) error
+}
+
+type userProjectionRepository struct {
+	db *gorm.DB
+}
+
+func NewUserProjectionRepository(db *gorm.DB) UserProjectionRepository {
+	return &userProjectionRepository{db: db}
+}
+
+func (r *userProjectionRepository) IsReady(ctx context.Context) (bool, error) {
+	status, err := r.GetStatus(ctx)
+	if err != nil {
+		return false, err
+	}
+	return status.Ready, nil
+}
+
+func (r *userProjectionRepository) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	var projectedUsers int64
+	if err := r.db.WithContext(ctx).Model(&domain.User{}).Count(&projectedUsers).Error; err != nil {
+		return domain.UserProjectionStatus{}, err
+	}
+
+	var state domain.UserProjectionState
+	err := r.db.WithContext(ctx).First(&state, "name = ?", domain.UserProjectionNameKratos).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return domain.UserProjectionStatus{
+			Name:           domain.UserProjectionNameKratos,
+			Status:         domain.UserProjectionStatusFailed,
+			Ready:          false,
+			ProjectedUsers: projectedUsers,
+		}, nil
+	}
+	if err != nil {
+		return domain.UserProjectionStatus{}, err
+	}
+	return domain.UserProjectionStatus{
+		Name:           state.Name,
+		Status:         state.Status,
+		Ready:          state.Status == domain.UserProjectionStatusReady && state.LastSyncedAt != nil,
+		LastSyncedAt:   state.LastSyncedAt,
+		LastError:      state.LastError,
+		UpdatedAt:      &state.UpdatedAt,
+		ProjectedUsers: projectedUsers,
+	}, nil
+}
+
+func (r *userProjectionRepository) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	counts := make(map[string]int64, len(tenants))
+	for _, tenant := range tenants {
+		counts[tenant.ID] = 0
+	}
+	if len(tenants) == 0 {
+		return counts, nil
+	}
+
+	valuePlaceholders := make([]string, 0, len(tenants))
+	args := make([]interface{}, 0, len(tenants)*2)
+	for _, tenant := range tenants {
+		valuePlaceholders = append(valuePlaceholders, "(?, ?)")
+		args = append(args, strings.TrimSpace(tenant.ID), strings.TrimSpace(tenant.Slug))
+	}
+
+	query := fmt.Sprintf(`
+		WITH requested(tenant_id, slug) AS (
+			VALUES %s
+		)
+		SELECT requested.tenant_id, COUNT(DISTINCT users.id) AS count
+		FROM requested
+		LEFT JOIN users ON users.deleted_at IS NULL AND (
+			users.tenant_id::text = requested.tenant_id
+			OR LOWER(users.company_code) = LOWER(requested.slug)
+			OR EXISTS (
+				SELECT 1 FROM unnest(users.company_codes) AS company_code
+				WHERE LOWER(company_code) = LOWER(requested.slug)
+			)
+		)
+		GROUP BY requested.tenant_id
+	`, strings.Join(valuePlaceholders, ","))
+
+	type result struct {
+		TenantID string
+		Count    int64
+	}
+	var rows []result
+	if err := r.db.WithContext(ctx).Raw(query, args...).Scan(&rows).Error; err != nil {
+		return nil, err
+	}
+	for _, row := range rows {
+		counts[row.TenantID] = row.Count
+	}
+	return counts, nil
+}
+
+func (r *userProjectionRepository) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	now := time.Now()
+	return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		ids := make([]string, 0, len(users))
+		for i := range users {
+			users[i].DeletedAt = gorm.DeletedAt{}
+			if users[i].CreatedAt.IsZero() {
+				users[i].CreatedAt = now
+			}
+			if users[i].UpdatedAt.IsZero() {
+				users[i].UpdatedAt = now
+			}
+			ids = append(ids, users[i].ID)
+		}
+
+		if len(users) > 0 {
+			if err := tx.Clauses(clause.OnConflict{
+				Columns:   []clause.Column{{Name: "id"}},
+				UpdateAll: true,
+			}).Create(&users).Error; err != nil {
+				return err
+			}
+			if err := tx.Where("id NOT IN ?", ids).Delete(&domain.User{}).Error; err != nil {
+				return err
+			}
+		} else if err := tx.Where("1 = 1").Delete(&domain.User{}).Error; err != nil {
+			return err
+		}
+
+		return upsertUserProjectionState(tx, domain.UserProjectionStatusReady, &now, "")
+	})
+}
+
+func (r *userProjectionRepository) MarkFailed(ctx context.Context, syncErr error) error {
+	message := ""
+	if syncErr != nil {
+		message = syncErr.Error()
+	}
+	return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		return upsertUserProjectionState(tx, domain.UserProjectionStatusFailed, nil, message)
+	})
+}
+
+func upsertUserProjectionState(tx *gorm.DB, status string, syncedAt *time.Time, lastError string) error {
+	state := domain.UserProjectionState{
+		Name:         domain.UserProjectionNameKratos,
+		Status:       status,
+		LastSyncedAt: syncedAt,
+		LastError:    lastError,
+		UpdatedAt:    time.Now(),
+	}
+	return tx.Clauses(clause.OnConflict{
+		Columns: []clause.Column{{Name: "name"}},
+		DoUpdates: clause.AssignmentColumns([]string{
+			"status",
+			"last_synced_at",
+			"last_error",
+			"updated_at",
+		}),
+	}).Create(&state).Error
+}
--- a/backend/internal/repository/user_projection_repository_test.go
+++ b/backend/internal/repository/user_projection_repository_test.go
@@ -0,0 +1,87 @@
+package repository
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserProjectionRepository_ReplaceAllFromKratosMarksReadyAndRemovesStaleUsers(t *testing.T) {
+	ctx := context.Background()
+	repo := NewUserProjectionRepository(testDB)
+
+	require.NoError(t, testDB.Exec("DELETE FROM user_projection_states").Error)
+	require.NoError(t, testDB.Exec("DELETE FROM user_login_ids").Error)
+	require.NoError(t, testDB.Exec("DELETE FROM users").Error)
+
+	tenantID := "10000000-0000-0000-0000-000000000001"
+	tenantSlug := "projection-saman"
+	require.NoError(t, testDB.Create(&domain.Tenant{
+		ID:     tenantID,
+		Name:   "Projection Saman",
+		Slug:   tenantSlug,
+		Type:   domain.TenantTypeCompany,
+		Status: domain.TenantStatusActive,
+	}).Error)
+	stale := &domain.User{
+		ID:          "00000000-0000-0000-0000-000000000099",
+		Email:       "stale@example.com",
+		Name:        "Stale",
+		CompanyCode: tenantSlug,
+	}
+	require.NoError(t, NewUserRepository(testDB).Create(ctx, stale))
+
+	users := []domain.User{
+		{
+			ID:          "00000000-0000-0000-0000-000000000101",
+			Email:       "one@example.com",
+			Name:        "One",
+			CompanyCode: tenantSlug,
+			TenantID:    &tenantID,
+			CreatedAt:   time.Now(),
+			UpdatedAt:   time.Now(),
+		},
+		{
+			ID:           "00000000-0000-0000-0000-000000000102",
+			Email:        "two@example.com",
+			Name:         "Two",
+			CompanyCodes: []string{tenantSlug},
+			CreatedAt:    time.Now(),
+			UpdatedAt:    time.Now(),
+		},
+	}
+
+	require.NoError(t, repo.ReplaceAllFromKratos(ctx, users))
+
+	ready, err := repo.IsReady(ctx)
+	require.NoError(t, err)
+	assert.True(t, ready)
+
+	counts, err := repo.CountTenantMembers(ctx, []domain.Tenant{
+		{ID: tenantID, Slug: tenantSlug},
+	})
+	require.NoError(t, err)
+	assert.Equal(t, int64(2), counts[tenantID])
+
+	var activeCount int64
+	require.NoError(t, testDB.Model(&domain.User{}).Count(&activeCount).Error)
+	assert.Equal(t, int64(2), activeCount)
+}
+
+func TestUserProjectionRepository_MarkFailedMakesProjectionNotReady(t *testing.T) {
+	ctx := context.Background()
+	repo := NewUserProjectionRepository(testDB)
+
+	require.NoError(t, testDB.Exec("DELETE FROM user_projection_states").Error)
+
+	require.NoError(t, repo.MarkFailed(ctx, errors.New("kratos down")))
+
+	ready, err := repo.IsReady(ctx)
+	require.NoError(t, err)
+	assert.False(t, ready)
+}
--- a/backend/internal/repository/user_repository.go
+++ b/backend/internal/repository/user_repository.go
@@ -164,9 +164,9 @@ func (r *userRepository) CountByCompanyCodes(ctx context.Context, codes []string
 	query := `
 		SELECT LOWER(comp_code) as company_code, count(DISTINCT id) as count
 		FROM (
-			SELECT id, company_code as comp_code FROM users WHERE LOWER(company_code) = ANY($1)
+			SELECT id, company_code as comp_code FROM users WHERE deleted_at IS NULL AND LOWER(company_code) = ANY($1)
 			UNION ALL
-			SELECT id, unnest(company_codes) as comp_code FROM users WHERE company_codes && $1
+			SELECT id, unnest(company_codes) as comp_code FROM users WHERE deleted_at IS NULL AND company_codes IS NOT NULL
 		) as combined
 		WHERE LOWER(comp_code) = ANY($1)
 		GROUP BY LOWER(comp_code)
--- a/backend/internal/repository/user_repository_test.go
+++ b/backend/internal/repository/user_repository_test.go
@@ -95,6 +95,25 @@ func TestUserRepository(t *testing.T) {
 		assert.Equal(t, int64(0), counts["tenant-c"])
 	})

+	t.Run("CountByCompanyCodes excludes soft deleted cache rows", func(t *testing.T) {
+		testDB.Exec("DELETE FROM users")
+
+		active := &domain.User{Email: "active@a.com", Name: "Active", CompanyCode: "tenant-a"}
+		deleted := &domain.User{Email: "deleted@a.com", Name: "Deleted", CompanyCode: "tenant-a"}
+		arrayDeleted := &domain.User{Email: "array-deleted@a.com", Name: "Array Deleted", CompanyCodes: []string{"tenant-a"}}
+
+		assert.NoError(t, repo.Create(ctx, active))
+		assert.NoError(t, repo.Create(ctx, deleted))
+		assert.NoError(t, repo.Create(ctx, arrayDeleted))
+		assert.NoError(t, repo.Delete(ctx, deleted.ID))
+		assert.NoError(t, repo.Delete(ctx, arrayDeleted.ID))
+
+		counts, err := repo.CountByCompanyCodes(ctx, []string{"tenant-a"})
+
+		assert.NoError(t, err)
+		assert.Equal(t, int64(1), counts["tenant-a"])
+	})
+
 	t.Run("Multi-Identifier Support", func(t *testing.T) {
 		_ = testDB.AutoMigrate(&domain.UserLoginID{})
 		testDB.Exec("DELETE FROM user_login_ids")
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -6,8 +6,10 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"time"

 	"github.com/google/uuid"
+	"github.com/lib/pq"
 )

 type UserGroupService interface {
@@ -210,40 +212,56 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
 		return fmt.Errorf("user group not found: %w", err)
 	}

-	// [Fix] Sync Kratos Traits & Local DB when a user is added to an organization
-	if s.kratos != nil && s.tenantRepo != nil {
-		tenant, err := s.tenantRepo.FindByID(ctx, group.TenantID)
-		if err == nil && tenant != nil {
-			// Fetch Kratos Identity
-			identity, err := s.kratos.GetIdentity(ctx, userID)
-			if err == nil && identity != nil {
-				traits := identity.Traits
-				if traits == nil {
-					traits = make(map[string]interface{})
-				}
-				traits["companyCode"] = tenant.Slug
-				traits["tenant_id"] = tenant.ID
-				traits["department"] = group.Name
+	var tenant *domain.Tenant
+	if s.tenantRepo != nil {
+		tenant, _ = s.tenantRepo.FindByID(ctx, group.TenantID)
+	}

-				// Update Kratos
-				_, updateErr := s.kratos.UpdateIdentity(ctx, userID, traits, identity.State)
-				if updateErr != nil {
-					slog.Error("Failed to update identity traits during AddMember", "user", userID, "error", updateErr)
-				}
+	var updatedIdentity *KratosIdentity
+
+	// [Fix] Sync Kratos Traits & Local DB when a user is added to an organization
+	if s.kratos != nil && tenant != nil {
+		// Fetch Kratos Identity
+		identity, err := s.kratos.GetIdentity(ctx, userID)
+		if err == nil && identity != nil {
+			traits := identity.Traits
+			if traits == nil {
+				traits = make(map[string]interface{})
+			}
+			traits["companyCode"] = tenant.Slug
+			traits["tenant_id"] = tenant.ID
+			traits["department"] = group.Name
+
+			// Update Kratos
+			updated, updateErr := s.kratos.UpdateIdentity(ctx, userID, traits, identity.State)
+			if updateErr != nil {
+				slog.Error("Failed to update identity traits during AddMember", "user", userID, "error", updateErr)
+			} else if updated != nil {
+				updatedIdentity = updated
+			} else {
+				identity.Traits = traits
+				updatedIdentity = identity
 			}
 		}
 	}

 	// Sync local user repo
-	if s.userRepo != nil && s.tenantRepo != nil {
-		tenant, _ := s.tenantRepo.FindByID(ctx, group.TenantID)
-		if tenant != nil {
-			localUser, err := s.userRepo.FindByID(ctx, userID)
-			if err == nil && localUser != nil {
-				localUser.CompanyCode = tenant.Slug
-				localUser.TenantID = &tenant.ID
-				localUser.Department = group.Name
-				_ = s.userRepo.Update(ctx, localUser)
+	if s.userRepo != nil && tenant != nil {
+		localUser, err := s.userRepo.FindByID(ctx, userID)
+		if err != nil || localUser == nil {
+			if updatedIdentity != nil {
+				localUser = mapUserGroupKratosIdentityToLocalUser(*updatedIdentity)
+			} else {
+				slog.Warn("Skipping local user sync during AddMember because identity projection is unavailable", "user", userID, "error", err)
+				localUser = nil
+			}
+		}
+		if localUser != nil {
+			localUser.CompanyCode = tenant.Slug
+			localUser.TenantID = &tenant.ID
+			localUser.Department = group.Name
+			if err := s.userRepo.Update(ctx, localUser); err != nil {
+				slog.Error("Failed to sync local user during AddMember", "user", userID, "error", err)
 			}
 		}
 	}
@@ -271,6 +289,116 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
 	return nil
 }

+func mapUserGroupKratosIdentityToLocalUser(identity KratosIdentity) *domain.User {
+	traits := identity.Traits
+	now := time.Now()
+	createdAt := identity.CreatedAt
+	if createdAt.IsZero() {
+		createdAt = now
+	}
+	updatedAt := identity.UpdatedAt
+	if updatedAt.IsZero() {
+		updatedAt = now
+	}
+
+	role := userGroupTraitString(traits, "grade")
+	if role == "" {
+		role = userGroupTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
+	}
+
+	companyCode := userGroupTraitString(traits, "companyCode")
+	if companyCode == "" {
+		companyCode = userGroupTraitString(traits, "company_code")
+	}
+
+	user := &domain.User{
+		ID:              identity.ID,
+		Email:           userGroupTraitString(traits, "email"),
+		Name:            userGroupTraitString(traits, "name"),
+		Phone:           userGroupTraitString(traits, "phone_number"),
+		Role:            role,
+		Status:          userGroupIdentityStatus(identity.State),
+		CompanyCode:     companyCode,
+		Department:      userGroupTraitString(traits, "department"),
+		Position:        userGroupTraitString(traits, "position"),
+		JobTitle:        userGroupTraitString(traits, "jobTitle"),
+		AffiliationType: userGroupTraitString(traits, "affiliationType"),
+		CreatedAt:       createdAt,
+		UpdatedAt:       updatedAt,
+		Metadata:        make(domain.JSONMap),
+	}
+	if tenantID := userGroupTraitString(traits, "tenant_id"); tenantID != "" {
+		user.TenantID = &tenantID
+	}
+	if relyingPartyID := userGroupTraitString(traits, "relying_party_id"); relyingPartyID != "" {
+		user.RelyingPartyID = &relyingPartyID
+	}
+	user.CompanyCodes = pq.StringArray(userGroupTraitStringArray(traits, "companyCodes"))
+
+	coreTraits := map[string]bool{
+		"email": true, "name": true, "phone_number": true,
+		"grade": true, "role": true, "companyCode": true, "company_code": true,
+		"companyCodes": true, "tenant_id": true, "department": true,
+		"position": true, "jobTitle": true, "affiliationType": true,
+		"relying_party_id": true, "custom_login_ids": true, "id": true,
+	}
+	for key, value := range traits {
+		if !coreTraits[key] {
+			user.Metadata[key] = value
+		}
+	}
+	return user
+}
+
+func userGroupTraitString(traits map[string]interface{}, key string) string {
+	if traits == nil {
+		return ""
+	}
+	value, ok := traits[key]
+	if !ok || value == nil {
+		return ""
+	}
+	if str, ok := value.(string); ok {
+		return str
+	}
+	return fmt.Sprint(value)
+}
+
+func userGroupTraitStringArray(traits map[string]interface{}, key string) []string {
+	if traits == nil {
+		return nil
+	}
+	switch value := traits[key].(type) {
+	case []string:
+		return value
+	case []interface{}:
+		items := make([]string, 0, len(value))
+		for _, item := range value {
+			if str, ok := item.(string); ok && str != "" {
+				items = append(items, str)
+			}
+		}
+		return items
+	default:
+		return nil
+	}
+}
+
+func userGroupIdentityStatus(state string) string {
+	switch state {
+	case "", "active":
+		return domain.UserStatusActive
+	case "inactive":
+		return domain.UserStatusInactive
+	default:
+		return state
+	}
+}
+
 func (s *userGroupService) RemoveMember(ctx context.Context, groupID, userID string) error {
 	// Validate group exists
 	if _, err := s.repo.FindByID(ctx, groupID); err != nil {
--- a/backend/internal/service/user_group_service_test.go
+++ b/backend/internal/service/user_group_service_test.go
@@ -7,6 +7,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"gorm.io/gorm"
 )

 // --- Mocks for Repositories ---
@@ -45,10 +46,15 @@ func (m *MockUserGroupRepository) ListByTenantID(ctx context.Context, tenantID s

 type MockUserRepository struct {
 	mock.Mock
+	updatedUsers []domain.User
 }

 func (m *MockUserRepository) Create(ctx context.Context, user *domain.User) error { return nil }
-func (m *MockUserRepository) Update(ctx context.Context, user *domain.User) error { return nil }
+func (m *MockUserRepository) Update(ctx context.Context, user *domain.User) error {
+	copied := *user
+	m.updatedUsers = append(m.updatedUsers, copied)
+	return nil
+}
 func (m *MockUserRepository) Delete(ctx context.Context, id string) error {
 	return m.Called(ctx, id).Error(0)
 }
@@ -270,6 +276,62 @@ func TestUserGroupService_AddMember(t *testing.T) {
 	// mockUserRepo.AssertExpectations(t)
 }

+func TestUserGroupService_AddMemberUpsertsLocalReadModelWhenMissing(t *testing.T) {
+	mockOutbox := new(MockKetoOutboxRepositoryShared)
+	mockUserGroupRepo := new(MockUserGroupRepository)
+	mockUserRepo := new(MockUserRepository)
+	mockTenantRepo := new(MockTenantRepository)
+	mockKratos := new(MockKratosAdminServiceShared)
+	svc := NewUserGroupService(mockUserGroupRepo, mockUserRepo, mockTenantRepo, nil, mockOutbox, mockKratos)
+
+	groupID := "group-1"
+	userID := "user-1"
+	tenantID := "tenant-1"
+	tenantSlug := "tenant-slug"
+
+	mockUserGroupRepo.On("FindByID", mock.Anything, groupID).Return(&domain.UserGroup{ID: groupID, TenantID: tenantID, Name: "Sales"}, nil)
+	mockUserRepo.On("FindByID", mock.Anything, userID).Return(nil, gorm.ErrRecordNotFound)
+	mockTenantRepo.On("FindByID", mock.Anything, tenantID).Return(&domain.Tenant{ID: tenantID, Slug: tenantSlug}, nil)
+	mockKratos.On("GetIdentity", mock.Anything, userID).Return(&KratosIdentity{
+		ID: userID,
+		Traits: map[string]interface{}{
+			"email": "user@test.com",
+			"name":  "User Test",
+		},
+		State: "active",
+	}, nil)
+	mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
+		return traits["companyCode"] == tenantSlug && traits["tenant_id"] == tenantID && traits["department"] == "Sales"
+	}), "active").Return(&KratosIdentity{
+		ID: userID,
+		Traits: map[string]interface{}{
+			"email":       "user@test.com",
+			"name":        "User Test",
+			"companyCode": tenantSlug,
+			"tenant_id":   tenantID,
+			"department":  "Sales",
+		},
+		State: "active",
+	}, nil)
+	mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == groupID && e.Relation == "members" && e.Subject == "User:"+userID
+	})).Return(nil).Once()
+	mockOutbox.On("Create", mock.Anything, mock.MatchedBy(func(e *domain.KetoOutbox) bool {
+		return e.Namespace == "Tenant" && e.Object == tenantID && e.Relation == "members" && e.Subject == "User:"+userID
+	})).Return(nil).Once()
+
+	err := svc.AddMember(context.Background(), groupID, userID)
+	assert.NoError(t, err)
+	assert.Len(t, mockUserRepo.updatedUsers, 1)
+	assert.Equal(t, userID, mockUserRepo.updatedUsers[0].ID)
+	assert.Equal(t, tenantSlug, mockUserRepo.updatedUsers[0].CompanyCode)
+	assert.NotNil(t, mockUserRepo.updatedUsers[0].TenantID)
+	assert.Equal(t, tenantID, *mockUserRepo.updatedUsers[0].TenantID)
+	assert.Equal(t, "Sales", mockUserRepo.updatedUsers[0].Department)
+	mockOutbox.AssertExpectations(t)
+	mockKratos.AssertExpectations(t)
+}
+
 func TestUserGroupService_AssignRoleToTenant(t *testing.T) {
 	mockOutbox := new(MockKetoOutboxRepositoryShared)
 	mockUserGroupRepo := new(MockUserGroupRepository)
--- a/backend/internal/service/user_projection_sync_service.go
+++ b/backend/internal/service/user_projection_sync_service.go
@@ -0,0 +1,163 @@
+package service
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/repository"
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/lib/pq"
+)
+
+type UserProjectionSyncService struct {
+	kratos KratosAdminService
+	repo   repository.UserProjectionRepository
+}
+
+type UserProjectionReconciler interface {
+	Reconcile(ctx context.Context) (int, error)
+}
+
+func NewUserProjectionSyncService(kratos KratosAdminService, repo repository.UserProjectionRepository) *UserProjectionSyncService {
+	return &UserProjectionSyncService{
+		kratos: kratos,
+		repo:   repo,
+	}
+}
+
+func (s *UserProjectionSyncService) Reconcile(ctx context.Context) (int, error) {
+	if s == nil || s.kratos == nil || s.repo == nil {
+		return 0, fmt.Errorf("user projection sync dependencies are not configured")
+	}
+
+	identities, err := s.kratos.ListIdentities(ctx)
+	if err != nil {
+		_ = s.repo.MarkFailed(ctx, err)
+		return 0, err
+	}
+
+	users := make([]domain.User, 0, len(identities))
+	for _, identity := range identities {
+		users = append(users, MapKratosIdentityToLocalUser(identity))
+	}
+	if err := s.repo.ReplaceAllFromKratos(ctx, users); err != nil {
+		_ = s.repo.MarkFailed(ctx, err)
+		return 0, err
+	}
+	return len(users), nil
+}
+
+func MapKratosIdentityToLocalUser(identity KratosIdentity) domain.User {
+	traits := identity.Traits
+	now := time.Now()
+	createdAt := identity.CreatedAt
+	if createdAt.IsZero() {
+		createdAt = now
+	}
+	updatedAt := identity.UpdatedAt
+	if updatedAt.IsZero() {
+		updatedAt = now
+	}
+
+	role := kratosProjectionTraitString(traits, "grade")
+	if role == "" {
+		role = kratosProjectionTraitString(traits, "role")
+	}
+	role = domain.NormalizeRole(role)
+	if role == "" {
+		role = domain.RoleUser
+	}
+
+	companyCode := kratosProjectionTraitString(traits, "companyCode")
+	if companyCode == "" {
+		companyCode = kratosProjectionTraitString(traits, "company_code")
+	}
+
+	user := domain.User{
+		ID:              identity.ID,
+		Email:           kratosProjectionTraitString(traits, "email"),
+		Name:            kratosProjectionTraitString(traits, "name"),
+		Phone:           kratosProjectionTraitString(traits, "phone_number"),
+		Role:            role,
+		Status:          normalizeProjectionStatus(identity.State),
+		CompanyCode:     companyCode,
+		CompanyCodes:    pq.StringArray(kratosProjectionTraitStringArray(traits, "companyCodes")),
+		Department:      kratosProjectionTraitString(traits, "department"),
+		Position:        kratosProjectionTraitString(traits, "position"),
+		JobTitle:        kratosProjectionTraitString(traits, "jobTitle"),
+		AffiliationType: kratosProjectionTraitString(traits, "affiliationType"),
+		CreatedAt:       createdAt,
+		UpdatedAt:       updatedAt,
+		Metadata:        make(domain.JSONMap),
+	}
+	if tenantID := kratosProjectionTraitString(traits, "tenant_id"); tenantID != "" {
+		user.TenantID = &tenantID
+	}
+	if relyingPartyID := kratosProjectionTraitString(traits, "relying_party_id"); relyingPartyID != "" {
+		user.RelyingPartyID = &relyingPartyID
+	}
+
+	coreTraits := map[string]bool{
+		"email": true, "name": true, "phone_number": true,
+		"grade": true, "role": true,
+		"companyCode": true, "company_code": true, "companyCodes": true,
+		"tenant_id": true, "department": true,
+		"position": true, "jobTitle": true, "affiliationType": true,
+		"relying_party_id": true, "custom_login_ids": true, "id": true,
+	}
+	for key, value := range traits {
+		if !coreTraits[key] {
+			user.Metadata[key] = value
+		}
+	}
+	return user
+}
+
+func kratosProjectionTraitString(traits map[string]interface{}, key string) string {
+	if traits == nil {
+		return ""
+	}
+	value, ok := traits[key]
+	if !ok || value == nil {
+		return ""
+	}
+	if str, ok := value.(string); ok {
+		return str
+	}
+	return fmt.Sprint(value)
+}
+
+func kratosProjectionTraitStringArray(traits map[string]interface{}, key string) []string {
+	if traits == nil {
+		return nil
+	}
+	switch value := traits[key].(type) {
+	case []string:
+		return value
+	case []interface{}:
+		items := make([]string, 0, len(value))
+		for _, item := range value {
+			if str, ok := item.(string); ok && strings.TrimSpace(str) != "" {
+				items = append(items, str)
+			}
+		}
+		return items
+	default:
+		return nil
+	}
+}
+
+func normalizeProjectionStatus(state string) string {
+	switch strings.ToLower(strings.TrimSpace(state)) {
+	case "blocked", domain.UserStatusInactive:
+		return domain.UserStatusInactive
+	case domain.UserStatusSuspended:
+		return domain.UserStatusSuspended
+	case domain.UserStatusLeaveOfAbsence:
+		return domain.UserStatusLeaveOfAbsence
+	default:
+		return domain.UserStatusActive
+	}
+}
--- a/backend/internal/service/user_projection_sync_service_test.go
+++ b/backend/internal/service/user_projection_sync_service_test.go
@@ -0,0 +1,98 @@
+package service
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type fakeUserProjectionRepo struct {
+	replacedUsers []domain.User
+	failedErr     error
+	replaceErr    error
+}
+
+func (f *fakeUserProjectionRepo) IsReady(ctx context.Context) (bool, error) {
+	return false, nil
+}
+
+func (f *fakeUserProjectionRepo) GetStatus(ctx context.Context) (domain.UserProjectionStatus, error) {
+	return domain.UserProjectionStatus{}, nil
+}
+
+func (f *fakeUserProjectionRepo) CountTenantMembers(ctx context.Context, tenants []domain.Tenant) (map[string]int64, error) {
+	return nil, nil
+}
+
+func (f *fakeUserProjectionRepo) ReplaceAllFromKratos(ctx context.Context, users []domain.User) error {
+	f.replacedUsers = append([]domain.User(nil), users...)
+	return f.replaceErr
+}
+
+func (f *fakeUserProjectionRepo) MarkFailed(ctx context.Context, syncErr error) error {
+	f.failedErr = syncErr
+	return nil
+}
+
+func TestUserProjectionSyncService_ReconcileReplacesProjectionFromKratos(t *testing.T) {
+	ctx := context.Background()
+	kratos := new(MockKratosAdminServiceShared)
+	repo := &fakeUserProjectionRepo{}
+	svc := NewUserProjectionSyncService(kratos, repo)
+
+	tenantID := "00000000-0000-0000-0000-000000000001"
+	kratos.On("ListIdentities", ctx).Return([]KratosIdentity{
+		{
+			ID: "00000000-0000-0000-0000-000000000101",
+			Traits: map[string]interface{}{
+				"email":        "one@example.com",
+				"name":         "One",
+				"phone_number": "+821012345678",
+				"companyCode":  "saman",
+				"companyCodes": []interface{}{"saman", "group-a"},
+				"tenant_id":    tenantID,
+				"department":   "DX",
+				"customAttr":   "kept",
+			},
+			State: "active",
+		},
+	}, nil).Once()
+
+	count, err := svc.Reconcile(ctx)
+
+	require.NoError(t, err)
+	assert.Equal(t, 1, count)
+	require.Len(t, repo.replacedUsers, 1)
+	assert.Equal(t, "one@example.com", repo.replacedUsers[0].Email)
+	assert.Equal(t, "One", repo.replacedUsers[0].Name)
+	assert.Equal(t, "+821012345678", repo.replacedUsers[0].Phone)
+	assert.Equal(t, "saman", repo.replacedUsers[0].CompanyCode)
+	assert.Equal(t, []string{"saman", "group-a"}, []string(repo.replacedUsers[0].CompanyCodes))
+	require.NotNil(t, repo.replacedUsers[0].TenantID)
+	assert.Equal(t, tenantID, *repo.replacedUsers[0].TenantID)
+	assert.Equal(t, "kept", repo.replacedUsers[0].Metadata["customAttr"])
+	assert.NoError(t, repo.failedErr)
+	kratos.AssertExpectations(t)
+}
+
+func TestUserProjectionSyncService_ReconcileMarksFailedWhenKratosFails(t *testing.T) {
+	ctx := context.Background()
+	kratos := new(MockKratosAdminServiceShared)
+	repo := &fakeUserProjectionRepo{}
+	svc := NewUserProjectionSyncService(kratos, repo)
+
+	expectedErr := errors.New("kratos down")
+	kratos.On("ListIdentities", ctx).Return([]KratosIdentity{}, expectedErr).Once()
+
+	count, err := svc.Reconcile(ctx)
+
+	assert.Equal(t, 0, count)
+	assert.ErrorIs(t, err, expectedErr)
+	assert.ErrorIs(t, repo.failedErr, expectedErr)
+	assert.Empty(t, repo.replacedUsers)
+	kratos.AssertExpectations(t)
+}